package com.cssiot.webApi.interceptor;

import java.util.Enumeration;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.ModelAndView;

public class SqlInjectIntercepter implements HandlerInterceptor {

	@Override
	public void afterCompletion(HttpServletRequest arg0,
			HttpServletResponse arg1, Object arg2, Exception arg3)
			throws Exception {

	}

	@Override
	public void postHandle(HttpServletRequest arg0, HttpServletResponse arg1,
			Object arg2, ModelAndView arg3) throws Exception {

	}

	@SuppressWarnings({ "rawtypes", "unused" })
	@Override
	public boolean preHandle(HttpServletRequest request, HttpServletResponse response,
			Object arg2) throws Exception {
		response.setContentType("text/html;charset=utf-8");
//		String path=request.getServletPath();
		// 获得用户请求的URI
		String rootPath = ((HttpServletRequest) request).getRequestURI();
//		请求路径
		String path=request.getServletPath();
		path=path.substring(path.lastIndexOf("/")+1, path.length());
//		项目路径
		 String contextPath = request.getContextPath();
	/*	if(path.contains("tlogin")||path.contains("jspCheck.htm")||path.contains("login.htm")||path.contains("get_kaptcha.htm")||path.contains("check_captcha.htm")){
			return true;
		}else{*/
		Enumeration enu=request.getParameterNames();
		String url=request.getRequestURI();
		if(url!=null&&url.contains("saveAppLogInfo")){
			String pv=request.getParameter("appLogInfo");
			if(pv!=null)
//				pv.replaceAll("$", "#");
			return true;
		}
		String flt ="'|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare|;|or|+|grant|drop";
		String filter[] = flt.split("\\|"); 
		/*while(enu.hasMoreElements()){
			String paraName=(String)enu.nextElement();
			String pv=request.getParameter(paraName);
			if(!ChkUtil.chkParamSqlInject(pv)){
				if (request.getHeader("x-requested-with") == null) {    // 用这个来判断是否为ajax请求
					response.sendRedirect(contextPath+"/login/error.htm");
					return false;
                } else {
                	response.getWriter().print(ResponseUtils.buildResultJson(false, "禁止影响系统安全的操作"));
                	return false;
                }
				
				
			}
		}*/
		
		while(enu.hasMoreElements()){
			String paraName=(String)enu.nextElement();
			String pv=request.getParameter(paraName);
			for(int i=0;i<filter.length;i++){
				if(pv.contains(filter[i])){
//					request.getParameter(paraName).replace(filter[i], "");
//					response.sendRedirect("tlogin.htm"); 
//					request.getParameter(paraName).replace(filter[i], "");
//					response.setContentType("text/html;charset=utf-8");
//					response.getWriter().print("请不要尝试注入,请点击<br><a href='javascript:;' onclick='history.go(-2)'>返回</a>");
					response.setContentType("text/html;charset=utf-8");
					if (request.getHeader("x-requested-with") == null) {    // 暂时用这个来判断是否为ajax请求
						response.sendRedirect(contextPath+"/login/error.htm");
						return false;
                    } else {
//                    	response.getWriter().print(ResponseUtils.buildResultJson(false, "禁止影响系统安全的操作"));
                    	return false;
                    }
				}
			}
		}
		return true;
  }

}
